Matrix Banker is a banking trojan identified in May 2017 targeting banking institutions in Latin America, including Mexico and Peru. The trojan's initial loader sets persistence through a Registry Run key and extracts and injects a DLL into Chrome, Edge, Firefox, or Internet Explorer, which is used to establish a man-in-the-browser (MitB) capability. Matrix Banker then calls out to its C2 server to retrieve the web injection configuration. Responses from the C2 are encrypted with the Salsa20 algorithm; Petya ransomware also used Salsa20 to encrypt victims' Master File Tables. To infect users, it redirects them to a phishing page masquerading as the legitimate web page of a banking institution, attempting to convince users to input their banking credentials. Matrix Banker is currently distributed by the Beta Bot botnet.
- Arbor Networks provides technical details of Matrix Banker here.